Douglas Otis wrote:

> While DNSSEC may protect against data corruption,

So does a TCP, UDP or SCTP checksum. A problem is that such protection
is not valid over a chain of certificate authorities or caching servers.

> such protection depends upon the thorny problem of verifying a key will
> be solved in a practical and politically acceptable manner.

If the protection by a chain of untrustworthy certificate authorities of
DNSSEC is practically acceptable, a protection by a chain of
untrustworthy caching servers of plain old DNS is also practically
acceptable.

Moreover, plain old DNS is already practically accepted.

Though there seems to be some confusion that DNSSEC security is end to
end, below is an excerpt from an authentic document by David Clark on
how PKI, including DNSSEC, involves certificate authorities of third
parties.

http://portal.acm.org/citation.cfm?doid=383034.383037

    Public-key certificates

    An important role for a third party occurs when public key
    cryptography is used for user authentication and protected
    communication. A user can create a public key and give it to
    others, to enable communication with that user in a protected
    manner. Transactions based on a well-known public key can be
    rather simple two-party interactions that fit well within the end
    to end paradigm. However, there is a key role for a third party,
    which is to issue a Public Key Certificate and manage the stock of
    such certificates; such parties are called certificate
    authorities. The certificate is an assertion by that (presumably
    trustworthy) third party that the indicated public key actually
    goes with the particular user.

So, though communication between an end user and a certificate
authority can be end to end, the entire system of PKI is not.

Masataka Ohta

_______________________________________________
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
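The contrast the message draws (a transport checksum on one side, a DNSSEC chain that stands or falls with every third party in it on the other) is easier to see with a runnable model. The following is an added example written for this page, not code from the thread, from the IETF, or from any DNSSEC implementation. It models the structure trust anchor -> DS -> DNSKEY -> RRSIG -> RRset with textbook RSA over fixed Mersenne primes (deliberately insecure toy keys so it runs offline and deterministically), and all zone names, addresses and key material are constructed. It walks four cases: an intact chain, a record altered by a caching server, an outsider re-signing a leaf with its own key, and the authority one level up publishing a DS for that outsider's key, which is the "chain of third parties" point; beside them it shows an RFC 1071 checksum catching a flipped bit but accepting a forged record whose checksum was simply recomputed.

```python
"""Toy model of a DNSSEC-style chain of trust beside a transport checksum.

Added illustration: not code from this thread and not a real DNSSEC validator.
The RSA keys are built from fixed Mersenne primes so the script runs offline
and deterministically; they are insecure toys whose only job is to show the
structure trust anchor -> DS -> DNSKEY -> RRSIG -> RRset.
"""
import hashlib

E = 65537  # public exponent shared by every toy key

def toy_key(p, q):
    """Textbook RSA from two fixed primes (toy only; never do this for real)."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest64(data):
    """First 64 bits of SHA-256 as an int, small enough to sit under every toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")

def sign(key, data):
    return pow(digest64(data), key["d"], key["n"])

def verify(pub_n, data, sig):
    return pow(sig, E, pub_n) == digest64(data)

def ds(pub_n):
    """DS record content: a hash of the child zone's public key, published by the parent."""
    return hashlib.sha256(str(pub_n).encode()).hexdigest()

def internet_checksum(data):
    """RFC 1071 ones'-complement checksum, the kind TCP and UDP carry."""
    if len(data) % 2:
        data += b"\0"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def checksum_frame(data):
    return data + internet_checksum(data).to_bytes(2, "big")

def checksum_ok(frame):
    return internet_checksum(frame[:-2]) == int.from_bytes(frame[-2:], "big")

# Three authorities in the chain plus an outsider (assumed names and primes).
ROOT = toy_key(2**61 - 1, 2**89 - 1)
TLD = toy_key(2**31 - 1, 2**107 - 1)
ZONE = toy_key(2**19 - 1, 2**127 - 1)
OUTSIDER = toy_key(2**17 - 1, 2**521 - 1)
TRUST_ANCHOR = ds(ROOT["n"])  # the only value the validator knows out of band

def link(name, key, rrset):
    """One zone: its public key, one RRset, and the RRSIG over that RRset."""
    return {"name": name, "dnskey_n": key["n"], "rrset": rrset, "rrsig": sign(key, rrset)}

def build_chain():
    """Constructed sample chain root -> example. -> www.example. (not real zone data)."""
    leaf = link("www.example.", ZONE, b"www.example. A 192.0.2.1")
    tld = link("example.", TLD, ("example. DS " + ds(ZONE["n"])).encode())
    root = link(".", ROOT, ("root DS " + ds(TLD["n"])).encode())
    return [root, tld, leaf]

def validate(chain, trust_anchor=TRUST_ANCHOR):
    """Walk parent -> child; each DNSKEY must match the DS its parent signed."""
    expected_ds = trust_anchor
    for zone in chain:
        if ds(zone["dnskey_n"]) != expected_ds:
            return False, f"DNSKEY of {zone['name']} does not match parent's DS"
        if not verify(zone["dnskey_n"], zone["rrset"], zone["rrsig"]):
            return False, f"RRSIG over {zone['name']} does not verify"
        expected_ds = zone["rrset"].decode().rsplit(" ", 1)[-1]  # DS for the next zone down
    return True, "chain validates from trust anchor to leaf"

def corrupted_by_cache(chain):
    """A caching server alters the answer; the RRSIG, unlike a hop-by-hop checksum, still fails."""
    bad = [dict(z) for z in chain]
    bad[-1]["rrset"] = b"www.example. A 192.0.2.2"
    return validate(bad)

def outsider_resigns_leaf(chain):
    """An outsider re-signs the leaf with its own key: rejected at the DS check."""
    bad = [dict(z) for z in chain]
    bad[-1] = link("www.example.", OUTSIDER, b"www.example. A 198.51.100.9")
    return validate(bad)

def tld_authority_colludes(chain):
    """The third party one level up publishes a DS for the outsider's key: the forgery validates."""
    bad = [dict(z) for z in chain]
    bad[-1] = link("www.example.", OUTSIDER, b"www.example. A 198.51.100.9")
    bad[1] = link("example.", TLD, ("example. DS " + ds(OUTSIDER["n"])).encode())
    return validate(bad)

def checksum_only_detects_accidents():
    """A checksum catches a flipped bit but accepts a forged record with a fresh checksum."""
    frame = checksum_frame(b"www.example. A 192.0.2.1")
    flipped = bytes([frame[0] ^ 0x01]) + frame[1:]
    forged = checksum_frame(b"www.example. A 198.51.100.9")  # the forger recomputes it
    return checksum_ok(flipped), checksum_ok(forged)

if __name__ == "__main__":
    c = build_chain()
    print(validate(c), corrupted_by_cache(c), outsider_resigns_leaf(c),
          tld_authority_colludes(c), checksum_only_detects_accidents(), sep="\n")
```

The fourth case is the one the message is about: nothing in the validator distinguishes a DS that `example.` signed for the legitimate child key from one it signed for the outsider's key, so the answer is only as trustworthy as every authority between the trust anchor and the leaf. The checksum case shows the other half of the argument: a ones'-complement checksum reliably catches accidental corruption, but any party that rewrites the record can rewrite the checksum too, and a caching server that re-serialises an answer recomputes it as a matter of course.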